RE: authenticating users with php&mysql

["Bastien Koert" <bastien_k@xxxxxxxxxxx>]

That is incrediably risky since you are exposing the entire db for those 
users. What about setting [limited] permissions for those users?

I woul move to a table based authentication, where you have a users table 
and one [or more] mysql accounts with the bare minimum privileges to allow 
the user to run the application. The below table structure could be the bare 
minimum.

CREATE TABLE `users` (
 `user_id` int(10) NOT NULL auto_increment,
 `user_name` varchar(50) NOT NULL default '',
 `user_password` varchar(50) NOT NULL default '',
 PRIMARY KEY  (`user_id`)
) TYPE=MyISAM AUTO_INCREMENT=1 ;

Then your code would besomething like this: (note there should be way more 
validation of the username and password before attempting to execute the 
query)

<html>
   <head><title>MySQL 
Connection</title></head>
      <body>
         <div align="centre">
            <form action="<?php echo $_SERVER[PHP_SELF];?>" 
method="POST">
               Name: <input type="text" name="txt_name"> 
               Password: <input type="password" 
name="txt_password"> 
               <br /><input type="submit" value="Submit">
         </div>
            </form>
       </body>
</html>
<?php

   $user_name = @$_POST['txt_name'];
   $user_pass = @$_POST['txt_password'];

   if ((trim($user_name) = "")&&(trim($user_pass) = ""))
   {
     echo "User not authorized. HIt the back button to login again";
     die();
   }//end if

   $db_host = "localhost";
   $db_user = $account_name;
   $db_password = $account_password;
   $db_name = "data";

   $connection = @mysql_connect ($db_host, $db_user,$db_password) or die 
("error connecting");
   echo "connection successful!";

   $sql = "select * from users where user_name =$user_name and 
user_password = '$user_pass'";
   $result = mysql_query($sql) or die("Can't query because 
".mysql_error());
   if (mysql_num_rows($result)==1)
   {
     echo "User auhorized";
   }else{
     echo "User not authorized. HIt the back button to login again";
   }//end if

?>

hth

Bastien



> From: "it clown" <php5@xxxxxxxxxxxxx>
> To: php-db@xxxxxxxxxxxxx
> Subject:  authenticating users with php&mysql
> Date: Wed, 26 Jan 2005 12:44:38 +0200
>
> Hi All,
>
> I am trying to create a page with 2 text boxes a name and a
> password with a submit button.The user must enter his
> username and password that is stored in mysql to access the
> site.
>
> With the following code i get a successfull connection with
> a blank username and password but when i enter a wrong
> username and password i get a error that is correct.
>
> <html>
>    <head><title>MySQL Connection</title></head>
>       <body>
>          <div align="centre">
>             <form action="<?php echo $_SERVER[PHP_SELF];
> ?>" method="POST">
>                Name: <input type="text"
> name="txt_name">&nbsp;
>                Password: <input type="text"
> name="txt_password">&nbsp;
>                <br /><input type="submit" value="Submit">
>          </div>
>             </form>
>        </body>
> </html>
> <?php
>    $db_host = "localhost";
>    $db_user = $_POST["txt_name"];
>    $db_password = $_POST["txt_password"];
>    $db_name = "data";
>    $connection = @mysql_connect ($db_host, $db_user,
> $db_password) or die ("error connecting");
>    echo "connection successful!";
> ?>
>
> What is the best way to authenticate users against mysql
> for login?
>
> Regards
> ______________________________________________________________
> http://www.webmail.co.za the South African FREE email service
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php